Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, NW, Washington, DC 20005-4026

July 14, 2010

The Board of Directors
Pension Benefit Guaranty Corporation

During the six month period covered by this report, the PBGC Office of Inspector General issued seven audit and evaluation reports with 67 recommendations for improvement. We completed 2 investigations, resolved 31 complaints, and continued investigative work on 3 cases that were accepted for prosecution by U.S. Attorneys’ Offices during the prior semiannual period.

Recent Audit Reports. PBGC OIG has issued seven reports since our prior Semiannual Report to Congress.

 • FY 2009 Financial Statements Audit Reports. Four reports were issued in connection with our audit of PBGC’s annual financial statements, including (1) a report presenting the 17th consecutive unqualified opinion on PBGC’s general-purpose financial statements, as well as an adverse opinion on PBGC’s system of internal control; (2) a detailed internal control report discussing PBGC’s three significant deficiencies; (3) a report presenting an unqualified opinion on PBGC’s special-purpose financial statements that are consolidated into the Financial Report of the U.S.
   Government; and (4) a management letter report identifying less significant matters related to PBGC internal controls and operations.

 • FY 2009 Federal Information Security Management Act (FISMA) Independent Evaluation Reports. FISMA requires Inspectors General to conduct independent annual evaluations of agencies’ information security programs and practices and to report the results to OMB. During this semiannual period, we issued two documents detailing our work in this area – our submission to OMB describing the overall results of our independent evaluation of PBGC’s information security programs and practices and a more detailed report providing additional information on the results of Clifton Gunderson’s review of the PBGC information security program.

 • FY 2009 Vulnerability Assessment, Penetration Testing, and Social Engineering Report. This restricted disclosure report detailed the results of Clifton Gunderson’s assessment of the PBGC information security infrastructure; this review was conducted to discover possible weaknesses in logical security controls and to exploit discovered vulnerabilities. The report identified major issues of concern and suggested that PBGC management: (1) ensure that PBGC systems have the most current patches and updates for all systems and (2) implement standardized procedures, including best practices to strengthen or harden the configuration of PBGC’s operating systems and applications.

Open Audit Recommendations. During the six month period, we continued to work closely with PBGC management to address 201 open recommendations.
While we were able to close only nine recommendations during the period, PBGC did make significant progress toward developing a strategy to address the root causes of many of the recommendations that remain open.

As part of our effort to ensure that we focus on the most important issues for PBGC, we identified certain audit recommendations that, if implemented, would go far toward addressing some of PBGC’s long-standing internal controls weaknesses. Implementing these key recommendations is important for PBGC’s future effectiveness and efficiency. Recommendations that warrant particular attention from PBGC’s management include:

 • Completion of the certification and accreditation for all major applications and general support systems. While this recommendation, as well as others related to PBGC’s information security, will not be fully implemented in the near future, we are pleased that PBGC is beginning to actively address the serious information technology issues and the substantial risks they pose for PBGC’s ability to carry out its mission. We have recently seen concrete steps by PBGC to correct existing weaknesses and I am particularly encouraged by the transparency in recent communication between OIG and the Office of Information Technology.

 • Development of written guidelines for the Securities Lending Program. We continue to work closely with PBGC management as guidance is being developed. The Corporation has been responsive to our feedback; we look forward to the resulting enhancements.

 • Creation of a single source for PBGC procurement procedures and assignment of responsibility for monitoring contract administration.
   This recommendation encompasses many of the other 50 open contracting-related recommendations. PBGC has recently committed to working with OIG to ensure that these outstanding recommendations are implemented fully both in letter and spirit.

For each of these recommendations, PBGC management has committed to an approach that we believe has the potential to address the underlying issues we reported. We appreciate PBGC’s commitment and stand ready to assist in working through these key recommendations.

Closed Investigation. Pursuant to a Congressional request, we had opened a criminal investigation into the former Director’s involvement during the procurement process used to select investment managers to execute PBGC’s investment policy. This investigation was worked at the direction of the U.S. Attorney’s Office for the Southern District of New York. We have notified the requesting Senators that we concluded our investigation and that no charges were filed.

Sincerely,

Rebecca Anne Batts
Inspector General

Table of Contents

Letter to the Board of Directors

Executive Summary (page 1)

Introduction (page 3)
    The Pension Benefit Guaranty Corporation
    The Office of Inspector General

Management Challenges

OIG’s Annual Audits of PBGC’s Financial Statements (page 5)
    Audit of the PBGC’s Fiscal Year 2009 and 2008 Financial Statements
    Report on Internal Control Related to the PBGC’s Fiscal Year 2009 and 2008 Financial Statements Audit
    Audit of the PBGC’s Fiscal Year 2009 and 2008 Special-Purpose Financial Statements
    Fiscal Year 2009 Financial Statements Audit Management Letter

OIG’s Audits and Investigations of PBGC’s Information Security (page 11)
    FY2009 Federal Information Security Management Act (FISMA) Submission to the Office of Management and Budget
    FY2009 Vulnerability Assessment, Penetration Testing, and Social Engineering Report
    FY2009 Federal Information Security Management Act (FISMA) Independent Evaluation Report
    PBGC’s Corrective Action Plans for IT Issues
    Protecting Sensitive and Personally Identifiable Information

PBGC and OIG Working to Address Backlog of Unimplemented Audit Recommendations (page 16)

Congressional Request - PBGC’s Most Critical Open Recommendations (page 17)

Other OIG Reporting (page 18)
    Access to Information
    Management Decisions

Other Office of Inspector General Activities (page 19)
    Review of Proposed Statutory and Regulatory Changes
    Congress Remains Concerned About Inspector General Independence
    External and Internal Professional Activities

Semiannual Report Of The Inspector General—March 2010    iii

Appendix (page 21)
    Cross-Reference to Reporting Requirements of the Inspector General Act
    Summary of Audit and Investigative Activities
    Results of Reports Issued
    Summary of Reports Older Than 6 Months for Which Management Decision Has Not Been Achieved
    Previously Reported Significant Recommendations for Which Corrective Action Has Not Been Completed

IV    PBGC Office of inspector general

Executive Summary
This Semiannual Report to Congress summarizes the activities and accomplishments of the Pension Benefit Guaranty Corporation (PBGC) Office of Inspector General (OIG) for the period October 1, 2009 through March 31, 2010. During this reporting period, our work primarily focused in the areas of financial and information technology:

 • We issued the 17th consecutive unqualified opinion on PBGC’s general purpose financial statements, with an adverse opinion on internal control based on 3 significant deficiencies that, taken together, comprise a material weakness (see pages 6-7).
 • We issued a report on internal control that detailed the underlying material weakness: entity-wide security program planning and management; access controls and configuration management, and integrated financial management systems.
   A contributing factor to the material weakness was PBGC’s incorrect reporting about progress in correcting the deficiencies (see pages 7-10).
 • We also issued an audit report on the special purpose financial statements and a management letter discussing less significant internal control matters (see pages 10-11).
 • Our information technology (IT) audit work included two FISMA reports, one the required OMB submission and a second narrative report with detailed information about additional IT security findings that were not reported in the internal control report (see pages 11-12).
 • The results of our IT vulnerability assessment and penetration testing revealed a number of vulnerabilities and areas of concern (see pages 12-13).
 • Two of our investigations and other audit work examined PBGC’s protection of personally identifiable information (PII), finding an instance in which a breach had occurred and one where it had not, controls around reporting breaches to US CERT which needed strengthening, and noting PBGC’s actions to address prior findings (see pages 14-15).

Another focus was following up on the backlog of unimplemented audit recommendations.
In response to a letter Congressman Issa (R-CA) sent to each Inspector General, we identified the three open audit recommendations we consider to be of critical importance: (1) completion of certification and accreditation of all major IT applications and general support systems; (2) development of written guidance for the Securities Lending Program, and (3) creation of a single source for procurement procedures and assignment of responsibility for monitoring contract administration (see pages 16-17).

Introduction

The Pension Benefit Guaranty Corporation
The Pension Benefit Guaranty Corporation (PBGC or the Corporation) was established under Title IV of the Employee Retirement Income Security Act of 1974 (ERISA), as amended (29 U.S.C. §§ 1301-1461), as a self-financing, wholly-owned Federal government corporation to administer the pension insurance program. ERISA requires that PBGC: (1) encourage the continuation and maintenance of voluntary private pension plans, (2) provide for the timely and uninterrupted payment of pension benefits to participants and beneficiaries, and (3) maintain premiums at the lowest level consistent with carrying out PBGC’s obligations.

Sidebar: PBGC Board Responded Promptly to Our Interim Report

Sidebar: PBGC insures the pension benefits of about 44 million Americans.

For about 44 million Americans, PBGC provides assurance that their retirement benefits will be paid, up to a statutory limit. PBGC protects the pensions of participants in certain defined benefit pension plans (i.e., plans that promise to pay definitely determinable retirement benefits). Such defined benefit pension plans may be sponsored individually or jointly by employers and unions. PBGC is now responsible for the pensions of about 1.3 million people.

During FY 2009, PBGC managed about $70 billion in assets and paid about $4.5 billion in benefits to almost 744,000 retirees and beneficiaries. The Corporation reports having sufficient liquidity to meet its obligations for a number of years, despite a cumulative deficit of $21.9 billion from the single-employer and multiemployer programs. Neither program at present has the resources to satisfy all of the benefit obligations already incurred, much less future obligations likely to be assumed.

PBGC’s governance structure comprises the Board of Directors, their Board Representatives, a Presidentially-appointed Director, and Congressional oversight. Other elements of governance include PBGC’s system of internal control, its clearly articulated authority to act, and the policies and procedures under which PBGC operates. PBGC governance is complex and requires those who are charged with its oversight to view the Corporation from a number of differing perspectives. Oversight by the PBGC Board, PBGC management and the OIG is critical to effective corporate governance.

The Office of Inspector General
Our Office of Inspector General (OIG) was created under the 1988 amendments to the Inspector General Act of 1978. We provide an independent and objective voice that helps the Congress, the Board of Directors, and PBGC protect the pension benefits of American workers.
Like all Offices of Inspector General, the PBGC OIG is charged with providing leadership and recommending policies and activities designed to prevent and detect fraud, waste, abuse, and mismanagement; conducting and supervising independent audits and investigations; and recommending policies to promote sound economy, efficiency, and effectiveness.

To provide value, we focus our work on the challenges facing PBGC. We strive to target the highest risk areas and emphasize timely reporting of results. We determine what we will investigate and audit and how we will conduct those investigations and audits. We determine our own priorities and have had our own independent legal counsel since 1990. Our audit and investigative staff is competent and experienced, with professional backgrounds in other Offices of Inspector General, independent accounting firms, and federal criminal investigative agencies. We independently respond to Congressional requests and initiate contact with Congress, as warranted.

The OIG is in full compliance with the Quality Standards for Federal Offices of Inspector General, published by the President’s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency (ECIE).
Our audit work is performed in compliance with Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States and our investigations are performed in compliance with PCIE and ECIE Quality Standards for Investigations.

The PBGC OIG is organizationally independent. The Inspector General reports directly to the highest level of PBGC governance, the PBGC Board and to Congress. In executing our independent oversight role, we perform a range of legally-mandated work (e.g., the annual financial statement audit and the annual Federal Information Security Management Act review) as well as a body of discretionary work.

Sidebar: The OIG is organizationally independent and reports to PBGC’s Board of Directors and Congress.

Management Challenges
FY 2009 was a challenging year for Pension Benefit Guaranty Corporation (PBGC) across all departments. In its Annual Report, PBGC reported that:

 • 135 plan sponsors filed for bankruptcy, an increase of more than threefold over 2008, including General Motors, Chrysler, Delphi, Lehman Brothers and Circuit City, creating cases that were extremely complicated and required large multi-disciplinary teams across PBGC.
 • It assumed responsibility for 129 terminated pension plans with almost 201,000 participants – the third largest number of participants in the past 10 years.
 • It paid nearly $4.5 billion in benefits to almost 744,000 people and issued nearly 103,000 final benefit determinations.

Though PBGC received significant assets from terminated pension plans, our audit of the financial statements reported that PBGC has a $21.9 billion deficit to meet its long-term obligation, as compared with the $11.2 billion deficit reported at the close of FY 2008.

Between October 1, 2009 and March 31, 2010, the PBGC Office of Inspector General (OIG) issued seven audit and evaluation reports, two reports of investigation and two management advisories. We also initiated three new investigations, and closed 42 investigations and complaints. As of March 31, 2010, we are actively working three criminal cases with various U.S. Attorneys’ offices. During the period, we closed our investigation of the former PBGC Director without charges. That investigation, which had been opened in response to a bipartisan request from PBGC’s Senate oversight committees, was worked under the direction of the Office of Public Corruption of the U.S. Attorney’s Office in the Southern District of New York.

Sidebar: The investigation of the former PBGC Director, worked under the direction of the U.S. Attorney’s office in the Southern District of New York, was closed without charges.

OIG’s Annual Audits of PBGC’s Financial Statements
We contracted with an independent certified public accounting firm, Clifton Gunderson LLP, to audit the financial statements of the Single-Employer and Multiemployer Program Funds administered by PBGC, as of and for the years ended September 30, 2009 and 2008. The audit was conducted in accordance with auditing standards generally accepted in the United States of America; Government Auditing Standards, issued by the Comptroller General of the United States; Office of Management and Budget Bulletin No.
07-04, Audit Requirements for Federal Financial Statements, as amended; and the Government Accountability Office / President’s Council on Integrity and Efficiency Financial Audit Manual.

The annual financial statements audit reports include:

 • A report presenting the 17th consecutive unqualified opinion on PBGC’s general-purpose financial statements, as well as an adverse opinion on PBGC’s system of internal control;
 • A detailed internal control report discussing PBGC’s three significant deficiencies which, combined, comprise a material weakness and form the basis for the adverse opinion;
 • A report presenting an unqualified opinion on PBGC’s special-purpose financial statements that are consolidated into the Financial Report of the U.S.
   Government; and
 • A management letter report identifying less significant matters related to PBGC internal controls and operations that were not deemed significant enough for inclusion in the internal control report.

Audit of the Pension Benefit Guaranty Corporation’s Fiscal Year 2009 and 2008 Financial Statements
AUD-2010-1/FA-09-64-1
(http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-1.pdf)

Unqualified opinion on financial statements

Our audit of PBGC’s Single-Employer and Multiemployer Program Funds concluded that the financial statements were presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America. This is the seventeenth consecutive unqualified or “clean” opinion on PBGC’s financial statements.

Sidebar: PBGC received its 17th consecutive unqualified financial statement audit opinion.

Our report included other information that is important to understanding PBGC’s financial position. By law, PBGC’s Single-Employer and Multiemployer Program Funds must be self-sustaining. However, over a long course of years, PBGC has operated in a deficit position – i.e., its long-term liabilities to pay the pension benefits to participants in terminated pension plans exceed its assets.
As of September 30, 2009, PBGC reported net deficit positions in the Single-Employer Program Fund of $21,077 million and in the Multiemployer Program Fund of $869 million. While PBGC has been able to meet its short-term benefit obligations, as noted in our audit report and discussed in Note 1 to the financial statements, PBGC management believes that neither program at present has the resources to fully satisfy PBGC’s long-term obligations to plan participants.

As an insurer, PBGC is required to estimate the loss exposure that is reasonably possible as a result of unfunded vested benefits in not-yet-terminated pension plans. Our report explained that PBGC estimated the loss exposure that is reasonably possible for the Single-Employer and Multiemployer Programs to be $167,864 million and $326 million, respectively. For the Single-Employer Program, PBGC estimated this liability using data for FYs ending in calendar year 2008 from filings and submissions to the government (which was the latest available) and from corporate annual reports. This estimated liability amount has not been adjusted for economic conditions through September 30, 2009.
As a result the exposure to loss for the Single-Employer Program as of September 30, 2009, could be substantially different from the estimate reported in PBGC’s financial statements.

Compliance with Laws and Regulations

Our tests of PBGC’s compliance with selected laws and regulations did not disclose any instances of reportable non-compliance. However, because the objective of the audit was not to provide an opinion on overall compliance with laws and regulations, no such opinion was expressed.

Adverse Opinion on Internal Control

We reported that PBGC had not maintained effective internal control over financial reporting (including safeguarding assets) and compliance with laws and regulations and its operations as of September 30, 2009. The material weakness described below was serious enough to result in the expression of an adverse opinion on internal control.

Three significant deficiencies were reported, including deficiencies in PBGC’s (1) entity-wide security program planning and management, (2) access controls and configuration management, and (3) integrated financial management systems. The combination of significant deficiencies in PBGC’s internal control was considered to be a material weakness.

Sidebar: PBGC’s material weakness resulted in an adverse opinion on internal control.

The adverse opinion on internal control was based, in part, on PBGC’s incorrect reporting about progress in addressing previously reported weaknesses noted in its entity-wide information security management program. PBGC’s incorrect reporting had a negative effect on PBGC’s strategic decisions and on the prioritization of resources for resolving deficiencies in PBGC’s IT infrastructure. Since the time of our report, PBGC has initiated efforts in the reorganization and improvement of its security planning and management through the design and implementation of a more coherent strategy to manage its information systems. However, these efforts are not complete, and additional time is needed for further strategy development and implementation.

Report on Internal Control Related to the Pension Benefit Guaranty Corporation’s Fiscal Year 2009 and 2008 Financial Statements Audit
AUD-2010-2/FA-09-64-2
(http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-1.pdf)

As part of the annual financial statements audit discussed above, Clifton Gunderson prepared an internal control report to provide more detailed discussions of the specifics underlying the significant deficiencies and material weakness reported in the internal control opinion of the combined Independent auditor’s report. PBGC’s response to this internal control report indicated management’s agreement with and their commitment to addressing each recommendation, and to remediating the associated material weakness.

The internal control report provided details about significant deficiencies in the following areas, which combined constitute a material weakness:

1. Entity-wide Security Program Planning and Management;
2. Access Controls and Configuration Management; and
3. Integrated Financial Management Systems.

The combination of these three significant deficiencies constituted a material weakness in internal control.

Sidebar: Three IT-related significant deficiencies comprise the material weakness.

 • Entity-wide Security Program Planning and Management – We reported that, overall, PBGC’s entity-wide security program lacked focus and a coordinated effort to adequately resolve control deficiencies. These deficiencies prevented PBGC from implementing effective security controls to protect its information from unauthorized access, modification, and disclosure.

   An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.

   During FY 2009, PBGC leadership incorrectly reported progress in addressing entity-wide security management weaknesses, despite the differences between what was reported and PBGC’s own assessment of the state of its IT infrastructure and environment.
  PBGC’s assessment of its IT infrastructure and environment noted fundamental weaknesses in its architecture and design that prohibited the implementation of effective controls. Communication between PBGC’s key decision makers did not convey the urgent need for decisive strategic decisions and actions to correct fundamental weaknesses in PBGC’s IT infrastructure and environment. Resources were inappropriately allocated to address certain control weaknesses, even though underlying IT architecture and design issues prevented successful mitigation of these weaknesses.

• Access Controls and Configuration Management – We reported that PBGC’s decentralized approach to system development, system deployment, and configuration management created an environment that lacked a cohesive structure in which to implement controls and best practices. Weaknesses in the IT environment contributed to deficiencies in system configuration, segregation of duties, role-based access controls, and monitoring.
  Furthermore, PBGC’s information systems were overlapping and duplicative, employing obsolete and antiquated technologies that were costly to maintain.

  The state of PBGC’s IT environment led to increased IT staffing, manual workarounds, additional reconciliation procedures, extensive manipulation, and excessive manual processing. However, these compensating controls were ineffective in mitigating system control weaknesses.

  Ineffective access and configuration management controls did not provide PBGC with sufficient assurance that financial information and financial assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. Access controls should be in place to consistently limit or detect inappropriate access to computer resources (data, equipment, and facilities), or monitor access to computer programs, data, equipment, and facilities, thereby protecting against unauthorized modification, disclosure, loss, or impairment. Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components and subsequently controlling and maintaining an accurate inventory of any changes to the system.

The incorrect reporting of progress to address IT weaknesses contributed to the adverse opinion on internal control.

• Integrated Financial Management Systems – As reported in prior year audits, the risk of inaccurate, inconsistent, and redundant data was increased because PBGC lacked a single integrated financial management system. The system could not be readily accessed and used by financial and program managers without extensive manipulation, excessive manual processing, and inefficient balancing of reports to reconcile disbursements, collections, and general ledger data. PBGC’s information systems employed unsupported technologies that posed additional risk to the availability of financially significant systems. Unsupported technologies added to the challenges of integrating PBGC’s systems in an IT infrastructure that lacked a cohesive architecture and design.

  Until these control weaknesses are corrected, PBGC’s ability to accurately and efficiently record, accumulate, and summarize information required for internal and external financial reporting is impacted. The agency’s ability to effectively and efficiently maintain and modernize its existing IT environment depends, in large part, on how well it employs certain IT management controls that are embodied in statutory requirements, Federal guidance, and best practices.
  Among other things, these controls include strategic planning and performance measurement, portfolio-based investment management, human capital management, enterprise architecture (and supporting segment architecture) development and use, and establishing responsibility and accountability for modernization management.

In their response to this report, PBGC management concurred with the audit results and stated that they are committed to addressing the reported issues promptly. PBGC has begun to develop an overall strategy to improve its IT architecture and infrastructure, but much work remains before the strategy can be completed and implemented.

Since our report was issued, PBGC provided information about its planning efforts to achieve three desired outcomes: (1) FISMA/NIST compliant infrastructure and applications; (2) a manageable and maintainable security program; and (3) a lower cost, less complex information technology footprint. Additionally, PBGC officials have provided their assessment that a timeframe of between three and five years would be needed to achieve these objectives.

We have recently seen concrete steps by PBGC, such as the initiation of a new Enterprise Security Corrective Action Plan (CAP) and an interagency agreement with the Bureau of Public Debt to correct existing weaknesses in the agency’s Certification and Accreditation process. While the planning process is not far enough along for us to evaluate its potential effectiveness, we agree that the planned outcomes are critical for PBGC.
Success in achieving those outcomes would go far in resolving most or all of the reported IT issues.

PBGC’s IT leadership has increased the transparency of communication with OIG.

Since the issuance of our report, we have witnessed a welcome increase in transparency in the communications between OIG and OIT. PBGC’s IT leadership has been straightforward in addressing the challenges inherent in revitalizing PBGC’s IT processes. Some of the challenges, like the continuous stream of new and ever-changing federal requirements, are shared by all federal entities. Others are unique to PBGC. For example, PBGC still has an acting Chief Information Officer, its system security expertise is still maturing, and trust-building is still a work-in-progress for OIT.

Audit of the Pension Benefit Guaranty Corporation’s Fiscal Year 2009 and 2008 Special-Purpose Financial Statements
AUD-2010-3/FA-09-64-3
(http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-3.pdf)

As part of the annual financial statements audit, Clifton Gunderson also audited the PBGC Fiscal Year 2009 and 2008 Special-Purpose Financial Statements.
The auditors concluded that the special-purpose financial statements and accompanying notes presented fairly, in all material respects, the financial position of PBGC as of September 30, 2009 and 2008, and its net costs and changes in net position for the years then ended in conformity with accounting principles generally accepted in the United States of America and that the presentation was consistent with requirements of the U.S. Department of the Treasury (Treasury).

PBGC prepares special-purpose financial statements to provide financial information to the Treasury and U.S. Government Accountability Office (GAO) through the Government-wide Financial Reporting System for GAO’s use in preparing and auditing the Financial Report of the U.S. Government. The special purpose report is not intended to be a complete presentation of PBGC’s financial statements.
Rather, these special purpose financial statements link PBGC’s audited financial statement to the Financial Report of the United States Government.

Fiscal Year 2009 Financial Statements Audit Management Letter
AUD-2010-4/FA-09-64-4 (not publicly available)

The annual financial statements audit process led to the identification of certain less significant matters related to PBGC internal control and operations that were not included in the internal control report (AUD-2010-2/FA-09-64-2), discussed above. The management letter summarized findings and recommendations regarding those less significant matters and included the status of prior years’ management letter recommendations.

While these management letter findings and recommendations were not material control issues and were not material in dollar value, they are nonetheless important because they are intended to improve PBGC’s internal control or result in other operational improvements.
These management letter findings and recommendations address areas such as

• payment and processing of benefit payments;
• contingency planning;
• accounting for premiums collected;
• controls over IT systems; and
• internal processing of travel, personnel actions, and vehicle usage.

We issued a management letter with other internal control issues.

In responding to the management letter, PBGC leadership agreed with most of the recommendations and provided planned corrective actions and estimated completion dates for those recommendations with which they agreed. PBGC management did not agree with 10 of the 35 new recommendations. We continue to work closely with the Corporation to reach agreement and an appropriate plan of action for the remaining recommendations.

OIG’s Audits and Investigations of PBGC’s Information Security

During this six-month reporting period, we issued three reports detailing the results of our audit of IT security issues and two Management Advisory Reports (MAR) resulting from investigation of reported potential IT security breaches. Additionally, we advised PBGC leadership of our concerns with the Corporation’s reporting of IT security incidents.
Ongoing audit work, as of March 31, 2010, included two additional audits addressing specific aspects of PBGC’s information security programs.

FY 2009 Federal Information Security Management Act (FISMA) Submission to the Office of Management and Budget
LTR-2010-5/FA-09-64-5
(http://oig.pbgc.gov/audit/2010/pdf/fisma.pdf)

Our vulnerability assessment and penetration testing found a number of unremediated weaknesses.

The Federal Information Security Management Act (FISMA) requires federal entities to report annually to the Office of Management and Budget (OMB) the state of their information security. FISMA also requires Inspectors General to conduct independent annual evaluations of agencies’ security programs and practices and to report the results to OMB. In conjunction with the financial statement audit, we contracted with Clifton Gunderson to perform, under OIG oversight, an independent evaluation to assess the effectiveness of PBGC’s information security program and practices and to determine compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines.

We reported deficiencies in PBGC’s security management, access controls, configuration management, and segregation of duties.
Control deficiencies were also found in policy administration and the Certification and Accreditation (C&A) of major applications and general support systems. Overall, PBGC needs to develop and implement a framework to improve its security posture, and this framework will require time for effective control processes to mature. The scope of this work was broader than the work done as part of our annual financial statements audit, because this evaluation addressed each of PBGC’s major IT systems, not just those that supported the preparation of PBGC’s financial statements. Based on the results of the review, the same types of issues that affected PBGC’s financial systems also impacted its other critical IT systems.

Fiscal Year 2009 Vulnerability Assessment, Penetration Testing, and Social Engineering Report
EVAL-2010-6/FA-09-64-6
(http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-6.pdf)

We contracted with Clifton Gunderson, LLP to assess PBGC’s information security infrastructure to discover possible weaknesses in logical security controls. This work differed from other engagements, in that we attempted to exploit the discovered vulnerabilities so that we could learn the degree of control PBGC could expect an attacker to achieve after a successful penetration.
During our assessment, we discovered live hosts residing on external and internal PBGC networks and conducted overt and covert vulnerability assessments on IP addresses in use.

The assessment revealed a number of vulnerabilities and areas of concern. As a result of our findings, we recommended that PBGC management:

• Ensure that PBGC systems have the most current patches and updates for all systems; and
• Implement standardized procedures, including best practices to strengthen or harden the configuration of PBGC’s operating systems and applications.

Fiscal Year 2009 Federal Information Security Management Act (FISMA) Independent Evaluation Report
EVAL-2010-7/FA-09-64-7
(http://oig.pbgc.gov/audit/2010/pdf/FA-09-64-7.pdf)

As a result of FISMA audit work, we issued a report to provide detailed information on the results of our review of PBGC’s information security program. Our evaluation showed that PBGC has not established an effective information security program. The report’s 6 FISMA findings and 12 associated recommendations supplemented, but did not duplicate, the IT security findings and recommendations already presented in other audit reports. For example, although the internal control report, discussed above, includes 15 FISMA-related findings with 36 recommendations, those recommendations were not repeated in this report.

PBGC management’s response to this report indicated general agreement with all recommendations and provided specific responses for each recommendation.
Where appropriate, PBGC is considering findings and recommendations relating to the FISMA report as part of the comprehensive IT corrective action plan.

PBGC’s Corrective Action Plans for IT Issues

PBGC reported on a comprehensive IT corrective action plan with a 3-5 year horizon.

During this six month period, PBGC’s Acting Chief Information Officer (CIO) and senior IT leaders created a team to consider how to address the range of IT issues systemically. Rather than considering each finding and recommendation in isolation, the team compared PBGC’s IT infrastructure to the standards established in NIST 800-53 Rev 3, using our OIG’s audit reports and PBGC’s own internal assessment of IT controls as part of the review. The Acting CIO and IT department directors briefed us regularly about the process and progress of the team. From this inclusive and disciplined approach, the team developed a plan that grouped processes into 14 “process families.” The plan identified inputs, outputs and applicable 800-53 controls, and mapped to the findings and recommendations in the various OIG reports. The team prioritized the process families and created 14 individual corrective action plans. Based on the corrective action plans, PBGC estimates it will take three to five years to achieve the desired outcome. Since the IT weaknesses developed over the course of many years, the established timeframe appears to be reasonable. OIT’s recent efforts to keep OIG fully informed are helping us to better assess the efficiency and effectiveness of the steps being taken by PBGC to correct existing IT issues.
We look forward to working with PBGC as it establishes an IT environment that is secure and in compliance with all applicable standards.

Protecting Sensitive and Personally Identifiable Information (PII)

We focused audit and investigative work on PBGC’s handling of personally identifiable information.

During the six-month reporting period, PBGC OIG has dedicated significant resources to ensuring that PBGC protects the sensitive information and PII with which it has been entrusted. PII maintained by PBGC includes plan participants’ names, social security numbers, birthdates, addresses, and bank account numbers. Further, PBGC maintains sensitive financial and investment information that should also be carefully protected from inadvertent loss or disclosure.

One of the greatest risks associated with PII is the loss of control of the information, whether by inadvertently sending the information to the wrong party, loss or theft of media containing the information, or a network infiltration, any one of which may result in a privacy breach. Such a breach could also place plan participants at risk of identity theft. Additionally, loss of PII can result in significant political, reputational and financial risks for the Corporation. Examples of the kinds of threats addressed by OIG during this reporting period include:

• PBGC Information Security Specialist recommended using a commercial copy center to transfer PII, in violation of PBGC policies and procedures.
  When a PBGC employee received a thumb drive containing participant data with 2,217 names and unique identifiers, the employee consulted both an Information Security Specialist and the PBGC Information Systems Security Officer to find out how to access the data safely. The PBGC Information Security Specialist suggested that the PBGC employee “take it to Kinkos to have it scanned for viruses and copied to a CD.” Following this incorrect advice, the PBGC employee used a commercial kiosk to transfer the data, thereby creating a security breach and potential compromise of PII.

  OIG investigators responded to the security breach by conducting a forensic analysis of the thumb drive to determine what type of participant data it contained. Kinko’s management refused a consensual search of the kiosk used by the PBGC employee; thus we were prevented from determining whether any usable data was captured by the hard drive when the data was transferred. Our inspection of the machine showed that it did not have an attached keyboard, but did contain connection ports for media storage devices. The security breach was reported to the United States Computer Emergency Readiness Team (U.S. CERT) and OIG issued a MAR suggesting specific improvements to reduce the likelihood of similar breaches in the future.

• PBGC Local Area Network (LAN) administrators were unaware of the location of a hard drive used to back up Office of General Counsel data. When an onsite LAN administrator reported that a hard drive was missing from a server array, an OIG investigator traveled to Wilmington, Delaware, evaluated the situation and ultimately located the missing drive in a box along a wall in the server room. While this incident did not result in a security breach, troubling aspects that demonstrate the threat to the security of sensitive information include the fact that the array had been offline for several weeks before PBGC IT staff identified the situation and the fact that the LAN administrator did not know how long the drive had been missing. Further, despite physical security controls including an electronic swipe pad and a key-controlled locking handle, IT staff were unable to determine who had actually removed the hard drive from the array. OIG issued a MAR suggesting needed improvements, such as the need to keep drives in a controlled environment, when not installed in servers.

• OIG continued following up on PBGC actions to protect PII held by contract actuaries. In prior semiannual reports, OIG described the loss of a thumb drive containing PII and the actions that PBGC took in response to the loss.
  During this reporting period, PBGC developed and began implementation of a compliance plan to establish contractors’ compliance with the Memoranda of Understanding that provide guidance about the protection of PBGC data. The plan involves quarterly site visits and onsite verification of required corrective actions. OIG continues to monitor the implementation of the compliance plan and work with PBGC to ensure protection of sensitive information.

• Ongoing audit work addresses the security of PII maintained in the Actuarial Calculation Toolkit (ACT). We are currently conducting an audit of PBGC’s ACT application, the agency’s primary system for calculating a participant’s benefit. ACT contains PII for 1.3 million participants. This audit was initiated from a whistleblower complaint related to the security of participants’ PII. OIG was asked to determine if participant data was being transferred to an unsecured application, ACT, that was non-compliant with the Federal Information Security Management Act (FISMA). We are currently determining if the whistleblower complaint has merit; we expect to issue a report of our results to PBGC during the next semiannual period.

PBGC responded quickly when we identified weaknesses in its reporting of IT security breaches to US-CERT.

• OIG identified unreported security breaches. During the FISMA review, we became aware that PBGC’s reporting of IT security incidents to United States Computer Emergency Readiness Team (US-CERT) was not accurate and complete. As a result, we reviewed PBGC’s “Breach Spreadsheet FY 08-09” and “US-CERT Operations Incident & Event Summary.” The Breach Spreadsheet is PBGC’s internal record of all US-CERT reported incidents, including: date, department, number of affected individuals, description of breach, whether the breach had been reported to US-CERT, and resolution. The US-CERT Operations Incident & Event Summary is a report, based on an agency’s reported security incidents, intended to provide an overview of the incident and event trends observed by US-CERT that impact PBGC. OIG reconciled the PBGC prepared Breach Spreadsheet FY 08-09 to the US-CERT Operations Incident & Event Summary. We identified 6 incidents that PBGC believed had been reported to US-CERT, but did not appear in the US-CERT Summary. On December 16, 2009, OIG met with PBGC officials to discuss our findings. Upon further review, PBGC concurred that 5 out of the 6 incidents identified by OIG had not actually been reported to US-CERT, as agency officials had incorrectly believed. As a result of our inquiry, PBGC reported to US-CERT the security breach incidents identified by OIG.

• PBGC has committed to making the Corporation a model for handling sensitive information.
  In March 2010, we reported that PBGC’s Privacy Office did not properly monitor its privacy processes for quality and compliance. Further, PBGC’s process for reporting PII events was inaccurate and unverifiable and technical controls (e.g., encryption of laptop computers) required strengthening. The Corporation took immediate measures to begin addressing reported concerns. Some actions directly addressed OIG’s recommendations; for example, specific guidance and procedures have been developed for privacy staff to follow in reporting security incidents involving PII disclosure to U.S. CERT. To their credit, PBGC’s actions were not limited to the specific recommendations included in OIG’s report. PBGC has begun reexamining its privacy program and is surveying other federal agencies to identify best practices, with the stated intention of making PBGC a model for handling sensitive information.
  While it is too early to determine how successful PBGC’s efforts will be, the Corporation’s positive reaction to OIG’s findings increases the likelihood that PBGC will be able to properly protect the PII and other sensitive information with which it has been entrusted.

PBGC and OIG Working to Address Backlog of Unimplemented Audit Recommendations

PBGC has a record number of open audit recommendations.

As of March 31, 2010, a total of 201 audit recommendations remain open in the following areas.

Of the 201 recommendations, 134 have been open more than 6 months and about 40% of the recommendations have been open for 2 or more years. The following chart shows the distribution of recommendations by topic.

Our audit recommendations address a range of issues, from the most serious problem affecting PBGC to relatively minor compliance issues. Forty-eight of the unimplemented recommendations deal with contracting and procurement issues. We have begun working with PBGC to develop a more effective approach to manage Contracting Officer’s Technical Representatives (COTR) to achieve positive contract outcomes.

We are working closely with PBGC to emphasize the importance of implementing open audit recommendations.
OMB Circular A-50 notes that “Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of government operations.”

Congressional Request – PBGC’s Most Critical Open Recommendations

In response to a Congressional request, we identified PBGC’s most critical open recommendations.

Representative Darrell Issa (R-CA) wrote to each member of the Inspector General community requesting a report on the number of open audit recommendations and the agency’s progress in closing recommendations since a prior request in January 2009. We were also asked to identify three open audit recommendations that we consider to be of critical importance for our agencies. Implementation of the following key recommendations is important to the future success of PBGC.

• PBGC should complete the certification and accreditation for all major IT applications and general support systems.
    While this recommendation, as well as others related to PBGC’s information security,
    will not be fully implemented in the near future, PBGC has begun to actively address
    serious information technology issues and the substantial risks they pose for PBGC’s
    ability to carry out its mission. PBGC has recently taken important first steps toward
    correcting existing weaknesses. We have been encouraged by the transparency in recent
    communication between OIG and PBGC’s Office of Information Technology.

 •  PBGC should develop written guidelines for the Securities Lending Program. We
    continue to work closely with PBGC management as this important guidance is being
    developed. The Corporation has been responsive to our feedback; we look forward to the
    resulting enhancements.

 •  PBGC should create a single source for PBGC procurement procedures and assign
    responsibility for monitoring contract administration. This recommendation encompasses
    many of the other open contracting-related recommendations. PBGC has recently committed
    to working with OIG to ensure that these outstanding recommendations are implemented
    fully both in letter and spirit. We appreciate this commitment and stand ready to
    assist in working through the backlog of procurement recommendations.

Other OIG Reporting

Access to Information

Under the Inspector General Act, the Inspector General is to have unfettered access to all
agency records, information, or assistance when engaged in an investigation or audit.
Whenever access to requested records, information, or assistance is unreasonably refused
or not provided, the Inspector General must promptly report the denial to the agency head.
We have not been denied access nor has assistance been unreasonably refused during this
reporting period.

Management Decisions

The Inspector General is required to report the following about management decisions on
audit reports that occurred during this six-month period:

 •  There are 9 audit reports for which management decisions are pending (see Appendix,
    pages 24-25).
 •  There were no significantly revised management decisions.
 •  There were no management decisions with which the Inspector General did not agree.

Other Office of Inspector General Activities

Review of Proposed Statutory and Regulatory Changes

A major responsibility of the OIG under the Inspector General Act is the independent
review of PBGC-proposed changes to laws and regulations. There were no significant PBGC
statutory proposals this period, and OIG did not review any new proposed regulations.

Congress Remains Concerned About Inspector General Independence

The OIG continued to communicate with Congress about Inspector General independence and
proposals to change the appointment process of the Inspectors General at five independent
federal entities from agency-head appointed to Presidentially-appointed and
Senate-confirmed. PBGC was one of the five agencies named in the bill, along with the
Board of Governors of the Federal Reserve, Commodity Futures Trading Commission, National
Credit Union Administration, and the Securities and Exchange Commission.
In bills for comprehensive financial reform, both the House and Senate included provisions
to make these five Inspectors General subject to presidential appointment. Rather than
focusing on these five Inspectors General, an amendment to the Senate financial reform
bill proposes that each Inspector General at a designated federal entity report to the
entity’s full Board or Commission if such exists.

We continue to meet with Congressional staff to develop proposals to positively impact
Inspector General independence.

Other Activities

Competitive Procurement for Financial Statement Audit

[Sidebar: We issued a fixed-price contract to an independent public accounting firm to
conduct the financial statement audits, information security testing and FISMA work.]

The OIG conducted a full and open competition to obtain an independent public accounting
(IPA) firm to perform the annual audit of PBGC’s financial statements. As part of the
financial statement audit work, we require an opinion on internal control, a management
letter to report internal control issues of lesser significance, work to test and report
on compliance with the Federal Information Security Management Act (FISMA) requirement,
and an information technology vulnerability assessment and penetration testing.

As a result of the competition, we awarded a fixed-price contract to Clifton Gunderson LLP
for a base year plus four option years.

External and Internal Professional Activities

[Sidebar: We encourage OIG staff members to participate in external activities.]

Various staff members participated in external and internal professional activities.
Examples include:

 •  The IG participates in the Council of Inspectors General for Integrity and Efficiency
    (CIGIE) that promotes collaboration on integrity, economy, and efficiency issues that
    transcend individual agencies. Ms. Batts serves as the co-chair of the CIGIE
    Information Technology Committee and as a member of the Audit Committee. She also
    serves as the CIGIE delegate to the Chief Financial Officer’s Council. In the Federal
    Financial Regulatory Inspectors General group, she joins with other IGs to discuss
    common financial concerns and the work each is doing.
 •  The Assistant IG for Audits serves on the Accounting and Audit Policy Committee
    (AAPC) which is a permanent committee established by the Federal Accounting Standards
    Advisory Board. Federal accounting standards and financial reporting play a major role
    in fulfilling the government’s duty to be publicly accountable. The AAPC issues
    technical releases related to existing Federal accounting standards. AAPC’s technical
    releases are a form of authoritative guidance for generally accepted accounting
    principles for Federal entities.
    During this period, the AAPC issued Technical Release (TR) 10 Implementation Guidance
    on Asbestos Cleanup Costs Associated with Facilities and Installed Equipment and TR 11
    Implementation Guidance on Cleanup Costs Associated with Equipment.
 •  The IG and the Assistant IG for Audit participated in a roundtable at the AAPC to
    provide views on the use of generally accepted accounting principles (GAAP) as used by
    the public sector.
 •  The Assistant IG for Investigations continues to serve as a non-voting member of
    PBGC’s Internal Control Committee, providing insight gained through his experience as
    a criminal investigator to those responsible for oversight and accountability of PBGC
    internal controls. Effective control systems may detect fraud or deliberate
    non-compliance with policies, regulations, or laws.
 •  The Special Agent-in-Charge participates in the National Procurement Fraud Task Force
    sponsored by the U.S. Department of Justice.
 •  The IG and the Deputy IG are mentoring non-OIG staff as part of PBGC’s intentional
    mentoring programs.
 •  One of our senior auditors attends the Interagency Fraud and Risk Data Mining Group
    (IFRDMG) quarterly meeting and training sessions.
    IFRDMG meets to share information amongst OIGs concerning the latest data analysis
    techniques, accomplishments using data analytics, recommended data mining software and
    related training.

Appendix

CROSS-REFERENCE TO REPORTING REQUIREMENTS OF THE INSPECTOR GENERAL ACT

The table below cross-references the reporting requirements prescribed by the Inspector
General Act of 1978, as amended, to the specific pages in the report where they are
addressed.

Inspector General
Act Reference      Reporting Requirements                                   Page
Section 4(a)(2)    Review of legislation and regulations.                   19
Section 5(a)(1)    Significant problems, abuses, and deficiencies.          5-17
Section 5(a)(2)    Recommendations with respect to significant problems,    5-17
                   abuses, and deficiencies.
Section 5(a)(3)    Prior significant recommendations on which corrective    16-17
                   action has not been completed.
Section 5(a)(4)    Matters referred to prosecutorial authorities.           22
Section 5(a)(5)    Summary of instances in which information was refused.   18
Section 5(a)(6)    List of audit reports by subject matter, showing dollar  23
                   value of questioned costs and recommendations that
                   funds be put to better use.
Section 5(a)(7)    Summary of each particularly significant report.         5-18
Section 5(a)(8)    Statistical table showing number of reports and dollar   23
                   value of questioned costs.
Section 5(a)(9)    Statistical table showing number of reports and dollar   23
                   value of recommendations that funds be put to better
                   use.
Section 5(a)(10)   Summary of each audit report issued before this          24-25
                   reporting period for which no management decision was
                   made by end of the reporting period.
Section 5(a)(11)   Significant revised management decisions.                18
Section 5(a)(12)   Significant management decisions with which the          18
                   Inspector General disagrees.

SUMMARY OF AUDIT AND INVESTIGATIVE ACTIVITIES
For the Six-Month Period Ending March 31, 2010

Audit Reports Issued
    Number of Reports                                   7
    Number of Recommendations                           67
Management Decisions
    Open Recommendations Beginning of Period            143
    Opened this Period                                  67
    Closed This Period                                  9
    Open Recommendations End of Period                  201
    Reports with Open Recommendations End of Period     40
Investigations
    Pending Beginning of Period                         15
    Opened                                              3
    Closed                                              11
    Pending End of Period                               7
Complaints [1]
    Pending Beginning of Period                         7
    Opened                                              33
    Closed                                              31
    Pending End of Period                               9
Financial Recoveries [2]
    Theft of Funds Recovered                            $0
    Court Ordered Fines, Penalties, and Restitution     $2,100
    U.S. Government Property Recovered                  $0
Criminal Actions [2]
    Arrests                                             0
    Indictments                                         1
    Convictions                                         1
Administrative Actions [2]                              0
Referrals
    For Prosecution:
        Department of Justice                           0
        Various States’ Attorney Offices                1
            Declined                                    1
    For Other Action:
        PBGC Management for Corrective Action           2

[1] Complaints include allegations received through the hotline operation and issues
    resulting from proactive investigative efforts.
[2] Results reported for Financial Recoveries, Criminal, and Administrative Actions
    include both open and closed cases.

RESULTS OF REPORTS ISSUED
For the Six-Month Period Ending March 31, 2010

                                                        Number of   Questioned  Unsupported  Funds Put to
                                                        Reports     Costs       Costs        Better Use
A. For which no management decision had been made by    10          $686,960    $0           $0
   the commencement of the reporting period.
B. Which were issued during the reporting period.       7
   Audit of the Pension Benefit Guaranty Corporation’s              $0          $0           $0
     Fiscal Year 2009 and 2008 Financial Statements
     (11/12/09)
   Report on Internal Control Related to the Pension                $0          $0           $0
     Benefit Guaranty Corporation’s Fiscal Year 2009
     and 2008 Financial Statements Audit (11/12/09)
   Audit of the Pension Benefit Guaranty Corporation’s              $0          $0           $0
     Fiscal Year 2009 and 2008 Special-Purpose
     Financial Statements (11/16/09)
   FY 2009 Federal Information Security Management                  $0          $0           $0
     Act (FISMA) Submission to the Office of
     Management and Budget (11/18/09)
   Fiscal Year 2009 Financial Statements Audit
     Management Letter (2/23/10)
   Fiscal Year 2009 Vulnerability Assessment,
     Penetration Testing, and Social Engineering
     Report (3/2/10)
   Fiscal Year 2009 Federal Information Security
     Management Act (FISMA) Independent Evaluation
     Report (3/22/10)
Total                                                   7

Subtotal (Add A. & B.)                                  17          $686,960    $0           $0

C. For which a management decision was made during      7           $245,716    $0           $0
   the reporting period.
   (i) dollar value of disallowed costs                             $176,833    $0           $0
   (ii) dollar value of costs not disallowed                        $68,833     $0           $0
D. For which no management decision had been made by    10          $441,244    $0           $0
   the end of the reporting period.
E. For which no management decision was made within     10          $441,244    $0           $0
   six months of issuance.

[1] Unsupported costs are a subset of questioned costs.

SUMMARY OF REPORTS OLDER THAN SIX MONTHS FOR WHICH
MANAGEMENT DECISION HAS NOT BEEN ACHIEVED

FY 2004 Financial Statement Management Letter, 2005-10/ 23182-6 (3/21/05)
    Summary: Establish and document detailed policies and procedures regarding
      deobligation of funds.
    Reason for no management decision: This report was re-opened on August 21, 2009,
      based on OIG’s discovery that PBGC had incorrectly reported the establishment of
      Standard Operating Procedures that implemented OIG recommendations.
    Anticipated management decision: 9/30/2010

Procurement Activities Related to Award of Morneau Sobeco Contracts, 2005-18/CA-0008-1
(9/29/05)
    Summary: Establish and document detailed policies and procedures for procurement
      activities, including duties of Contracting Officer, Contract Specialist and
      Competition Advocate.
    Reason for no management decision: This report was re-opened on August 21, 2009,
      based on OIG’s discovery that PBGC had incorrectly reported the establishment of
      Standard Operating Procedures that implemented OIG recommendations.
    Anticipated management decision: 7/30/2010

Costs Claimed by Morneau Sobeco, 2005-19/CA-0008-2 (9/29/05)
    Summary: COTR should document actions, including invoice review and acceptance of
      deliverables, and ensure contractor complies with contract requirements.
    Reason for no management decision: This report was re-opened on August 21, 2009,
      based on OIG’s discovery that PBGC had incorrectly reported the establishment of
      Standard Operating Procedures that implemented OIG recommendations.
    Anticipated management decision: 8/30/2010

Procurement Cycle Performance Audit, 2006-9/CA-0010 (3/16/06)
    Summary: Establish and document detailed policies and procedures of procurement
      activities.
    Reason for no management decision: This report was re-opened on August 21, 2009,
      based on OIG’s discovery that PBGC had incorrectly reported the establishment of
      Standard Operating Procedures that implemented OIG recommendations.
    Anticipated management decision: 8/30/2010

Examination of Contract Termination Proposal, 2006-14/CA-0013 (9/29/06)
    Summary: Questioned Costs of $197,035 because the contractor did not effectively
      manage its employees and allowed idle time to be billed as a direct expense.
    Reason for no management decision: Management continues to review this report.
    Anticipated management decision: 8/30/2010

Incurred Cost Audit, 2006-16/CA-0013 (9/27/06)
    Summary: Questioned Costs of $146,628 for unallowable costs associated with the use
      of the actual indirect rates instead of the forward pricing indirect rates;
      unallowable facility costs; and unsupported purchased labor costs.
    Reason for no management decision: Management continues to review this report.
    Anticipated management decision: 8/30/2010

Incurred Cost Audit, 2007-13/CA-0038-1 (9/27/07) and
Incurred Cost Audit, 2007-14/CA-0038-2 (9/27/07)
    Summary: Implementation of corrective actions with contractor needed to prevent
      unsupported and erroneous documentation for labor hour billings; erroneous and
      unapproved billings; and unverified education and experience for contractor
      employees.
    Reason for no management decision: Management continues to review these reports
      involving the same contractor.
    Anticipated management decision: 6/30/2010

Incurred Cost Audit, 2008-09/CA-0054 (9/30/2008)
    Summary: Questioned Costs of $97,581 for unallowable costs associated with the use
      of unaudited indirect cost rates.
    Reason for no management decision: Management decision is pending as it awaits
      DCAA’s completion of its incurred cost audit and settlement of indirect cost rates.
    Anticipated management decision: 8/30/2010

PREVIOUSLY REPORTED SIGNIFICANT RECOMMENDATIONS
FOR WHICH CORRECTIVE ACTION HAS NOT BEEN COMPLETED

96-4/23093-2, Audit of the Pension Benefit Guaranty Corporation’s Fiscal Year 1995
Financial Statements, 03/13/1996
and
AUD-2008-2/ FA-09-0034-2, Limited Disclosure Report on Internal Control - PBGC’s FY 2007
and 2006 Financial Statements Audit, 11/15/2007
    Number of significant recommendations: 1
    Significant problems and deficiencies: Significant Deficiency: Integrating Financial
      Management Systems
    Summary of significant recommendations: PBGC needs to complete the integration of
      its financial management systems.

2003-3/23168-2, Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years
2002 - 2001 Financial Statements, 01/30/2003
and
AUD-2008-2/ FA-09-0034-2, Limited Disclosure Report on Internal Control - PBGC’s FY 2007
and 2006 Financial Statements Audit, 11/15/2007
    Number of significant recommendations: 2
    Significant problems and deficiencies: Significant Deficiency: Entity-Wide
      Information Security Program Planning & Management
    Summary of significant recommendations: PBGC needs to complete its efforts to fully
      implement and enforce an effective information security program.

2003-10/23177-2, Review of PBGC’s Premium Accounting System, 10/10/2003
    Number of significant recommendations: 3
    Significant problems and deficiencies: Control weaknesses undermine the quality and
      integrity of reported premium revenues.
    Summary of significant recommendations: PBGC needs to ensure that its automated
      system produces accurate and verifiable premium accounting data.

2008-1/FA-0034-1, Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years
2007 - 2006 Financial Statements, 11/15/2007
and
AUD-2008-2/ FA-09-0034-2, Limited Disclosure Report on Internal Control - PBGC’s FY 2007
and 2006 Financial Statements Audit, 11/15/2007
    Number of significant recommendations: 11
    Significant problems and deficiencies: Significant Deficiency: Access Controls
    Summary of significant recommendations: PBGC needs to mitigate the systemic issues
      related to information access controls.

AUD-2009-01/FA-08-49-1, Audit of the Pension Benefit Guaranty Corporation’s Fiscal Years
2008 and 2007 Financial Statements, 11/13/2008
and
AUD-2009-02/FA-08-49-2, Limited Disclosure Report on Internal Controls – PBGC’s FY 2008
and 2007 Financial Statements, 11/13/09
    Number of significant recommendations: 5
    Significant problems and deficiencies: Significant Deficiency: Entity-Wide
      Information Security Program & Planning Management
    Summary of significant recommendations: PBGC needs to complete the design,
      implementation and testing of security controls, implement an effective
      certification and review process, and correct identified access control
      vulnerabilities.

This chart complies with Section 5(a)(1), (2) and (3) of the Inspector General Act of 1978,
as amended.
'